Understanding Kubernetes: Part 20-Network Policy

If you’ve been following our Kubernetes series 2025, welcome back! For new readers, check out Part 19: Headless Service

NetworkPolicy in Kubernetes

A NetworkPolicy in Kubernetes is used to control the communication between Pods within a cluster. It allows fine-grained control over ingress (incoming) and egress (outgoing) traffic to and from Pods based on labels, IP blocks, namespaces, and ports. NetworkPolicies help enforce security by restricting unauthorized access to applications running inside the cluster.

By default, Kubernetes allows unrestricted communication between all Pods; applying a NetworkPolicy restricts communication based on defined rules.

Example Use Case:

Suppose you have a frontend application that should only communicate with backend services and should not accept traffic from any other Pods. A NetworkPolicy can be applied to enforce this rule, ensuring only authorized traffic reaches the backend services.

Capabilities of NetworkPolicy:

1. Pod-to-Pod Communication Control:

• Restricts communication between Pods based on labels and namespaces.

2. Ingress Traffic Control:

• Defines rules for incoming traffic to a Pod.

3. Egress Traffic Control:

• Controls outbound traffic from a Pod to external services.

4. IP Block Restrictions:

• Allows or denies traffic based on specific IP CIDR blocks.

5. Namespace Isolation:

• Limits communication between Pods from different namespaces.

6. Protocol and Port Control:

• Filters traffic based on protocol (TCP, UDP) and specific ports.

YAML Example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080

Explanation:

• This NetworkPolicy applies to Pods labeled app=backend in the production namespace.

• It allows incoming traffic only from Pods labeled app=frontend.

• The traffic is restricted to port 8080 using the TCP protocol.

In My Previous Role:

As a Senior DevOps Engineer, I implemented NetworkPolicies to enhance the security posture of our Kubernetes clusters by segmenting services and ensuring controlled access. Some of my key contributions included:

• Designed and enforced namespace-specific policies to isolate critical services from less secure environments.

• Implemented egress rules to allow Pods to access only approved external services, minimizing the risk of data exfiltration.

• Used Prometheus and Grafana to monitor NetworkPolicy effectiveness and identify unauthorized access attempts.

• Collaborated with security teams to define policies aligning with compliance standards such as PCI-DSS and ISO 27001.

🚀 Ready to Master Kubernetes?

Take your Kubernetes journey to the next level with the Master Kubernetes: Zero to Hero course! 🌟 Whether you’re a beginner or aiming to sharpen your skills, this hands-on course covers:

✅ Kubernetes Basics — Grasp essential concepts like nodes, pods, and services. ✅ Advanced Scaling — Learn HPA, VPA, and resource optimization. ✅ Monitoring Tools — Master Prometheus, Grafana, and AlertManager. ✅ Real-World Scenarios — Build production-ready Kubernetes setups.

🎓 What You’ll Achieve

💡 Confidently deploy and manage Kubernetes clusters. 🛡️ Secure applications with ConfigMaps and Secrets. 📈 Optimize and monitor resources for peak performance.

Don’t miss your chance to become a Kubernetes expert! 💻✨